We can see that of those who haven’t experienced failures, only 1% believe that they are worse than average – and even among companies that have experienced failures, fully 87% believe that they are at least as good as their peers. Unless the Economist has stumbled across a particularly great group of companies to study, it seems clear that most organizations are overestimating the quality of their GRC practices, and hence underestimating the real risks they are running…

There’s also data in the report that seems to indicate that the finance function is the most likely to be blindsided – as you can see in the chart below, they are far more likely to say that there was no significant risk or compliance failure in the past three years. Since this is not a group known for their exuberant optimism, it’s likely that they simply didn’t know about the risks run by the other teams…